Configuring the HAProxy Router to Use the PROXY Protocol

Overview

By default, the HAProxy router expects incoming connections to unsecure, edge,
and re-encrypt routes to use plain HTTP. However, you can configure the router to
expect incoming connections to be wrapped in the PROXY protocol instead. This
topic describes how to configure the HAProxy router and an external load
balancer in front of it to use the PROXY protocol, and why both sides must be
configured consistently.

Why Use the PROXY Protocol?

When an intermediary service such as a proxy server or load balancer forwards an
HTTP request, it appends the source address of the connection to the request's
"Forwarded" header (or the older "X-Forwarded-For" header) so that subsequent
intermediaries and the back-end service to which the request is ultimately
forwarded can learn the original client address. However, if the intermediary
passes an encrypted connection through without terminating TLS, it cannot
modify the HTTP headers inside it. In this case, the "Forwarded" header that
reaches the back end will not accurately communicate the original source address.

To solve this problem, some load balancers encapsulate the forwarded connection
using the PROXY protocol as an alternative to simply forwarding HTTP: a short
header carrying the original source and destination addresses is sent at the
start of the connection, before the forwarded bytes, which are otherwise passed
through unchanged. Because the header sits outside the forwarded data, the load
balancer can communicate the source address even when forwarding an encrypted
connection that it cannot decrypt.

The HAProxy router can be configured to accept the PROXY protocol and
decapsulate the HTTP request. Because the router terminates encryption for edge
and re-encrypt routes, the router can then update the "Forwarded" HTTP header
(and related HTTP headers) in the request, appending any source address that is
communicated using the PROXY protocol.

The PROXY protocol and plain HTTP cannot be mixed on the same connection: a
router that expects the PROXY protocol rejects a connection that does not begin
with a PROXY header, and a router that expects HTTP treats a PROXY header as a
malformed request. If you use a load balancer in front of the router, both must
use the PROXY protocol or both must use HTTP. Configuring one to use one protocol
and the other to use the other protocol will cause routing to fail. Note also
that the router takes the source address in the PROXY header at face value, so a
PROXY-enabled router should only be reachable from the load balancer; any client
that can connect to it directly could present an arbitrary source address.
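The exchange described above, as an added example that is not part of the original documentation or of the OpenShift router code: a small stand-in for a PROXY-protocol load balancer prepends the version 1 header line to the client's bytes, a stand-in for the router strips it, appends the advertised source address to the X-Forwarded-For and Forwarded headers, and the two mismatched combinations fail in the way the previous paragraph describes. The header layout follows the published PROXY protocol v1 text format; the request, the addresses, the `https` proto value and the minimal HTTP parser are constructed for the example and are simplifications rather than HAProxy's own behaviour.

```python
"""PROXY protocol v1 round trip between a load balancer and a router.

Added example: stand-ins for the load balancer and the router, not OpenShift
or HAProxy code.  The header format follows the PROXY protocol v1 text line:
    PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n
"""
import re

# One v1 line: address family, then (optional only for UNKNOWN) the four fields.
PROXY_V1_RE = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n"
)
MAX_V1_HEADER = 107  # longest legal v1 line, per the specification

# Constructed client request (what the browser sends, possibly inside TLS).
CLIENT_REQUEST = (
    b"GET /healthz HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"\r\n"
)


def wrap_with_proxy_header(payload, src, dst, sport, dport, family="TCP4"):
    """Load balancer side: prepend one header line and forward the bytes
    untouched (the same whether or not the payload is TLS ciphertext)."""
    header = f"PROXY {family} {src} {dst} {sport} {dport}\r\n".encode("ascii")
    return header + payload


def strip_proxy_header(stream):
    """Router side: the first bytes of every connection must be a PROXY line.

    Returns (source_info or None for UNKNOWN, remaining bytes).  Anything else
    is rejected, which is what a plain-HTTP load balancer gets from a router
    that has the PROXY protocol enabled.
    """
    m = PROXY_V1_RE.match(stream[:MAX_V1_HEADER])
    if not m:
        raise ValueError("connection did not start with a PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    info = None
    if family != b"UNKNOWN":
        info = {"src": src.decode(), "dst": dst.decode(),
                "sport": int(sport), "dport": int(dport)}
    return info, stream[m.end():]


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser (request line and headers only)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        # A PROXY line ("PROXY TCP4 ...") lands here when the router expects HTTP.
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return {"method": parts[0].decode(), "target": parts[1].decode(),
            "headers": headers, "body": body}


def add_forwarding_headers(req, info, proto="https"):
    """Append the address the load balancer advertised, as the router can once
    it has terminated TLS.  Existing hops are kept and the new one appended.
    proto is a constructed default; the real router derives it from the route."""
    if info is None:            # PROXY UNKNOWN carries no usable address
        return req
    h = req["headers"]
    src = info["src"]
    h["x-forwarded-for"] = (f"{h['x-forwarded-for']}, {src}"
                            if "x-forwarded-for" in h else src)
    for_val = f'"[{src}]"' if ":" in src else src   # RFC 7239 quoting for IPv6
    fwd = f"for={for_val};host={h.get('host', '')};proto={proto}"
    h["forwarded"] = f"{h['forwarded']}, {fwd}" if "forwarded" in h else fwd
    return req


def router_receive(connection_bytes, use_proxy_protocol):
    """Model of ROUTER_USE_PROXY_PROTOCOL: true -> a PROXY line is mandatory,
    anything else -> the bytes are parsed as HTTP directly."""
    info = None
    if use_proxy_protocol:
        info, connection_bytes = strip_proxy_header(connection_bytes)
    return add_forwarding_headers(parse_http_request(connection_bytes), info)


def classify(connection_bytes, use_proxy_protocol):
    """'ok' when load balancer and router agree, otherwise the rejection reason."""
    try:
        router_receive(connection_bytes, use_proxy_protocol)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    wrapped = wrap_with_proxy_header(CLIENT_REQUEST, "203.0.113.7", "10.0.0.5", 51234, 443)
    print(router_receive(wrapped, True)["headers"])
    print("HTTP LB -> PROXY router:", classify(CLIENT_REQUEST, True))
    print("PROXY LB -> HTTP router:", classify(wrapped, False))
```

The point to take from `strip_proxy_header` is that nothing in it authenticates the header: whatever address the peer writes is what ends up in X-Forwarded-For, which is why a PROXY-enabled router must only be reachable from the load balancer.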

Using the PROXY Protocol

By default, the HAProxy router does not use the PROXY protocol. The router can
be configured using the ROUTER_USE_PROXY_PROTOCOL environment variable to
expect the PROXY protocol for incoming connections:

Enable the PROXY Protocol

$ oc env dc/router ROUTER_USE_PROXY_PROTOCOL=true

Set the variable to any value other than true or TRUE to disable the PROXY
protocol:

Disable the PROXY Protocol

$ oc env dc/router ROUTER_USE_PROXY_PROTOCOL=false

If you enable the PROXY protocol in the router, you must configure your load
balancer in front of the router to use the PROXY protocol as well. Following is
an example of configuring Amazon’s Elastic Load Balancer (ELB) service to use
the PROXY protocol. This example assumes that ELB is forwarding ports 80 (HTTP),
443 (HTTPS), and 5000 (for the image registry) to the router running on one or
more EC2 instances.

In the ELB configuration, the listener for TCP port 80 should have the policy
for using the PROXY protocol, and the listener for TCP port 443 should have the
same policy. The listener for TCP port 5000 should not have the policy.

Alternatively, if you already have an ELB configured, but it is not configured
to use the PROXY protocol, you will need to change the existing listener for TCP
port 80 to use the TCP protocol instead of HTTP (TCP port 443 should already be
using the TCP protocol):